PENETRATION TESTING

Uncover the unknowns in your environment in order to prepare and defend against cyber attacks. Learn the business benefits of penetration testing, the step-by-step process and the methods involved.

What is Penetration Testing?

A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. This cybersecurity assurance is provided against an organisation’s assets.

By utilising ethical hacking services to identify these security flaws, businesses are able to find out the extent to which their assets (people, process and technology) are exploitable and can then take the necessary steps to reduce the risk.

Our technical security assessment (also known as pen test) services are tailored to help your business stand against a real cyber attack. A good pen testing service provider shall ensure your business objectives are aligned with your cyber security programme. This provides the wider context needed to ensure cyber security remains a business enabler. Should you wish to read further about pen testing, our in-depth blog article on penetration testing is an excellent source.

Benefits of Penetration Testing

Experienced team to understand your concerns

Common Security Vulnerabilities

Secure hardening vulnerabilities across networking, security, telecommunications & other internal equipment, OS and endpoint vulnerabilities.
Effective patch management plays a critical role in closing the window of opportunity for attackers, that is, the time between the vulnerability disclosure and patch release.
Domain controllers design and configuration issues, group policy security review including audit policy, account lockout policy, user rights and security settings.

Logging and monitoring controls are reviewed to identify flaws in event collection, analysis and threat identification.

Application configuration errors, input validation, broken controls, authentication & session management checks.
We check the configuration and use of encryption methods for data at rest and in transit. This ensures data is safe against tampering and eavesdropping attacks.
Authentication vulnerabilities are one of the most critical and important attack vectors. This area includes multiple test cases i.e. transmission channels, nature of input, insecure configurations, weak credentials & bypass attempts.
Based on our methodology and the scope of the job, we perform two types of password reviews: password policy reviews and a password cracking exercise followed by statistical analysis to find out the complexity & character patterns in use.
Searches are performed on local and network shares for interesting files and contents that would contain credentials and/or any sensitive information.
Web application penetration tests check authorisation, input validation, injection issues such as cross-site scripting, SQL injection and XXE, session management & encryption vulnerabilities.

Penetration Testing Services

Our security assessment services cover a broad spectrum of domains such as cloud, wireless, mobile, stealth campaigns, phishing, IoT, external & internal networks and solutions.

Infrastructure Penetration Testing

Internal & External Network penetration testing services cover a broad spectrum of levels, from single build reviews and segregation reviews to network-wide assessments such as internal infrastructure and company-wide assessments such as a cyber health check.

Web Application Penetration Testing

Our team of Cybersecurity experts will test and perform security assessments for all your web applications. This will include code reviews, threat modeling and database assessments.

Cloud Penetration Testing

Most organizations are migrating to the cloud due to ease of use and 24 x 7 availability. As an end user of a cloud hosted solution, it is your responsibility to ensure that the security of any operating systems and applications hosted in the cloud is continuously maintained and tested.

Cyber Attack Simulation

Cyber Attack Simulations (Red Team, Blue Team, Purple Team, Spear Phishing) are designed with multi-step attack scenarios to check how defensive controls react during a real-time attack. Compared to pen testing, this is an all-out assessment of a company's defensive assets with a much wider scope.

Mobile App Penetration Testing

Ensuring the safety and security of user data is paramount to running any mobile application. Our tailored services are designed to identify potential threats and vulnerabilities before it’s too late.

Bespoke Security Reviews

This comprehensive cybersecurity audit covers supply chain risk, M&A due diligence, IoT and a range of advanced penetration testing scenarios and bespoke projects that can be tailored for the security needs of your company. Remote working security assessment falls under this category.

Penetration Testing Methodology

In order to perform a security assessment, it is important to understand the context of assets in scope for the engagement. Our proven approach to security assessments is based on more than a decade of experience, industry practices and effective ways to exceed customer expectations. Cyphere’s pentesting engagement lifecycle methodology is broken down into five phases as demonstrated in the penetration testing methodology diagram.
  1. Initial Scoping & Objectives Agreement
  2. Reconnaissance
  3. Scanning
  4. Exploitation
  5. Reporting
  6. Remediation (Optional remediation consultancy to help mitigate risks identified during penetration testing)
Penetration Testing Lifecycle

Frequently Asked Questions

A technical hacking exercise performed to identify and safely exploit the weaknesses in an asset (systems, networks and/or applications).
To identify vulnerabilities in the customers' networks, applications, systems or devices that could impact negatively on their business or reputation if they led to the compromise or abuse of systems. We ensure all our deliverables clearly mention whether a vulnerability has been verified manually, verified with a scanner, or cannot be exploited. This realistic check is important to know when calculating how many vulnerabilities in your network are actually exploitable.
Three different penetration test types are black box (without prior knowledge), grey box (with some knowledge) and white box (with all prior knowledge) assessments. See blog article for details.
A vulnerability scan (also known as an automated scan) is useful for identifying low-hanging fruit such as missing patches or common vulnerabilities; it does not cover in-depth reviews of an asset. A penetration test (using a manual approach) goes a step further by safely exploiting the identified weaknesses, establishing that they are not just false positives, and uncovering flaws such as business logic issues that are otherwise not covered during an automated test.

For penetration tests, our methodology encompasses OWASP Top 10, SANS Top 20 Critical Controls and CIS, NIST 800-115. Any other standards needed for specific projects can be included as per customer request. See our pen test blog post for a detailed article on penetration testing.

In order to maintain quality and add value to customer investment, we do not utilise automated scanners that run and report tests. A range of open source and commercial pentest tools in addition to multiple scripts/utilities are utilised to uncover hidden and complex vulnerabilities.
The scope of the test depends upon the asset functionality. For instance, an internal network may consist of an Active Directory environment covering 2000 users and an external network may have 5 servers. Similarly, an application is estimated based on its functionality, dynamic content and form fields, authentication, APIs and third party modules. Unauthorised or authorised exercises differ in timescales due to the lead time required to build knowledge about the functionality of the asset.
Our Cyber Security Health Check Service is designed to help customers who have never performed penetration testing in their environment. This exercise covers multiple security assessments such as internal (active directory, servers, network equipment) and external infrastructure security assessment, secure firewall configuration and wireless network security review. This helps customers to assess their current position and prepare remediation plans to protect their critical information against the most common cyber attacks. This check can be tailored to suit customer requirements and business objectives.
Communication plays an important role during security assessments. We always prompt customers to inform us about fragile components during project initiation meetings. Low-level attacks and denial-of-service attacks are explicitly deemed out of scope for all assessments.
The majority of penetration testing can be performed remotely via a VPN, IP restrictions, or similarly controlled setups. Wireless pen tests and internal infrastructure security assessments are most effective when performed onsite.
A custom written report is prepared based on the findings. This report serves both technical and non-technical audiences with specific sections dedicated to strategic and tactical recommendations, raw/supplemental data, proof of concepts and risk details such as impact, likelihood and risk scorings. This is followed by mitigation advice along with related references to help customer teams with remediation.
Pen test remediation is sometimes a complex process due to the specialist security skill-set needed for IT teams. As part of our aftercare support, we provide help in preparing a remediation plan to all our customers. Optionally, we provide remediation consultancy to ensure all agreed findings are mitigated in line with best security practices.

Our Engagement Approach

Customer Business Insight

The very first step remains our quest to gain insight into drivers, business, pain points and relevant nuances. As part of this process, we understand the assets that are part of the scope.

Services Proposal

It is important to get to grips with reality; therefore, we always stress walkthroughs or technical documentation of the assets. After asset walkthroughs, a tailored proposal is designed to meet your business’ specific requirements.

Execution and Delivery

Cyphere’s approach to all work involves excellent communication before and during the execution phase. Customer communication medium and frequency are mutually agreed, and relevant parties are kept updated throughout the engagement duration.

Data Analysis & Reporting

The execution phase is followed by the data analysis and reporting phase. Cyphere performs analysis on the testing output, evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address business as well as technical audiences with supporting raw data, including mitigation measures at strategic and tactical levels.

Debrief & Support

As part of our engagement process, customers schedule a free of charge debrief with management and technical teams. This session involves the remediation plan and assessment QA to ensure that customer contacts are up to date in the language they understand.
